cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
997
Views
0
Helpful
27
Replies
m-abooali
Enthusiast

HSRP between two 3800 series Cisco router- Need help!

Hi Guys,

I have two 3825 Cisco routers connected to a datacenter using two private circuits:

one private 100 MB ether connection as primary

one private DS3 as backup circuit

I am using all static so no IGP is used.

I have configured these two routers having the 100 MB as my primary link on my primary router and the DS3 as secondar/backup on my secondary router.

I have the following configuration but it is not working and I don't know why.

I would appreciate if some one could help me in right direction please as I do not trust the config being all right!

Primary Router:

interface FastEthernet0/0

description secondaary router

ip address 10.10.1.1 255.255.255.0(Ip addresss for the 100 MB Ethet link on my primary router)

no ip redirects

duplex auto

speed auto

standby 1 ip 10.10.1.2

!

(This puts both routers interfaces in the same subnet, with a common standby group of 1 on that link. So both routers

are responsible for acting together as the virtual router 10.10.1.2 Hosts are configured with a static default gateway,

IP address that of the virtual router, 10.10.1.2 Virtual router)

!

standby 1 timers 5 15

standby 1 priority 95

standby 1 preempt

standby 1 authentication username

standby 1 track Ether Interface for 100 MB ckt (GE0/0) on this router

Secondar Router:

interface FastEthernet0/0

description secondaary router

ip address 10.10.1.3 255.255.255.0 (Ip addresss for the 100 MB Ethet link on my primary router)

no ip redirects

duplex auto

speed auto

standby 1 ip 10.10.1.2 (This puts both routers interfaces in the same subnet, with a common standby group of 1 on that link. So both routers

are responsible for acting together as the virtual router 10.10.1.2 Hosts are configured with a static default gateway,

IP address that of the virtual router, 10.10.1.2 Virtual router)

!

standby 1 timers 5 15

standby 1 priority 95

standby 1 preempt

standby 1 authentication username

standby 1 track Interface of the DS3 Circit on this router

do I need to specify anything in the Global coonfig too?

I have attached a .txt file for this configuration. I wonder if I have missed something, may be at the global command level? I don't think there is any?

Thanks,

Mike

27 REPLIES 27

Hi Arun,

I did the router on the stick configuration but i am not sure if I had to use two physical interfaces and create one subinterface under each physical or create both subinterfaces under a single GE0/0 interface on the router (which is what i have done).

I rather use two interfaces on the router (Both of the GE0/0).

as far as the switch, i am planning to do:

create vlan2

create vlan3

VTP server mode

and assign two ports on switch to be the trunk for those two links. what I don't know is wether Ineed two trunks or just one given that we havetwo routers? should I terminate both cirsuits on one router or on the two routers for this configuration and for HSRP to work?

I can use a little help please.

Is there any other way to get my original L3 configuration on the switch to work? can I use that configuration and use something else for redundancy on the routers? I don't have BGP AS# yet, othetwise I could have used that!?

Thx,

Mike

Hi Arun,

Well, things have changed since i have received informations that i didn't have. I have attached a .pdf Visio drawing explaning the new requirment from me.

I am thinking of using policy routing, route-map-next hop, ACL, IP Router, etc. but i am not sure really what direction to take.

there are Linux server with two NICs one private and one Public and they need to be in both internal and external VLANs on the core 4500 switch, hitting the netscreen firewall and then the router an dout through one of the circuits.

at this point the redundancy of those circits is not that important anymore since later I will use BGP with the providers to do that.

I need to figure out how these internal and extrenal vlan traffics will hit the firewaall and router and go out of the 100 MB link to the Internet?

I am lost at this point!?

Please see if you guys can shae your thoughts with me.

Regards,

Mike

philipbray2005
Beginner

On the primary change the priority to higher

tham the secondary e.g.

standby 1 priority 100

thanks much for your input. I did changed the priorities but the scenario has now changed based on the new information that I received which I did not have before.

The Public Subnets were not in the Picture as well as the netwscreen juniper firewal but they are now.

I will have one internal vlan for the internal private subnet and two other vlans for the two public subnets, each subnet from a different provider which we will connect to the Internet.

now, I am not really sure how to handel the routing since we have some linus servers with dual NICs, one private and one public which i didn't know when i posted my original question and intended/proposed design from the switch up to the two routers.

All the routing must be static for now until a few months later in future that we move to BGP for redundancy at the links to the Internet.

Also, I am really stenger to Juniper stuff in this case Juniper netscreen 25 firewall!

I can use all the help I can get to start on this. I have posted a .pdf document with the drawing on teh network and the way the need it to work.

Please advsie.

Thx,

Mike

Hi mike

Its good u finaly came up with a diagram.. :)

I am not able to understand the requirement properly,iwth respect to the diagram..maybe my problem... ;)

can u pls explain little more on this so that we can sort out this...

Hope experts will through their view into it...

arun

I am glad to have that diaram too!

it was based on the latest information that I received. one office, one private or internal subnet but in this office we have linux servers with two NICs, one with private IP address from that only private subnet/24 and the other one from the two blocks of Public Ip addresses that we have got from two providers. these Ip blocks will also be in the two circuits connecting the office to the Internet.

To make the situation worst, I cannot use any dynamic IP routing at this time, may be later so I have to stick with static routing which has left me optionless on what would be the best and fastest way to get them all hocked up.

I have ordered one Cisco L3 4500 Switch and two Cisco Router 3845 but currently they have two Juniper Netscreen firwalls and they want to use it (i don't know any Junipers).

So, I need to create:

vlan 2 for managemnet (using IP from the same private subnet) say 10.10.1.0/24

VLAN3 or Internal (using the same private subnet)

VLAN4 (using one of the Public IP blocks)

VLAN5 (using the other Public Block)

Now, I wonder what would I need to do to route these subnets (traffic) from the VLANS on the 4500 to the Netscreen Firwall an dto the router and out to the Internet?

or, private traffic from Internal Vlan to the routers and external vlans to the Firewall?

or all the VLANs to the router, use rout-map next-hop and match plus IP routes and ACLs and define the Netscreen firewall as the next hop to he router and have the netscreen firewall route them out though the routers (again back to router) and out though the links - One primary 100 MB Ether and one Seconday DS3 (backup, could be active/active, or active /passive).

I hope that by now you know my delima!? how do I need to do this when there is no BGP at the external links and no IGP (EIGRP or OSPF) internally?

the more I think, I end up with PBR and rout-map defining next hop, may be two of them? and match the IPs/traffic using IP route and ACLs?

do you think this will do it? is there any other ways to tackle this design?

the fact that I only have two weeks toget this design completed and tested here and then send devices to the remote office where the can be plugged in based on the final diagram. one of my co-worker will go for that connecting issue and i will be starting a seocnd design but I have enough time fo rthat second one and i may be able to use IGP sine i will not have public IPs for the second design.

I hope that I was able to provide enough information. please do not hesistate to ask me any information that you may think is missing. at this time I am trying to come up with PBR config and am playing with the commands, seeing myself sitting on the Switch looking out and then on the routers looking out and looking back in to see if I can see the pattern happening using the route-map stuff?

I am sorry for this long explanation but I thought it was necessary.

at one point I decided to go with router on stick scenario but it defeats the whole idea of having the 4500!?

please advise,

Regards,

Mike

Hi mike,

Yes,router on stick will defeat the purpous of 4500.....

Why is there a connection directly given from the switch to firewall in daigram,when ur requirement is to route traffic via firewall..??

If u are going for active\active at routers for the external link utilization(ie,load share the traffic going out),then very well u can go with PBR.

but i dont know how u would go with redundancy in this scenario!!!!!!!! :(

without dynamic routing protocol,if the links fails how will the switch comes to know ,as static routes(and PBR) will still forward traffic..

arun

Weel Aurn, this is the one million dollar question for me!

If I can get this to work even in the active/passive mode and change over manually at this time I will go for it until later that we bring dynamic routing in place.

The link is there since the Firewall will be sitting somehow betwwen the core switch andteh routers, I might be wrong here!

I wantted to add a Cisco 3500 switch in the mix to connect the firewall's external traffic to it and basically divide internal traffc from the external but yet again the question comes to mind that my two vlans with external public IP paddresses are on the switch, so how woud I divide the traffic?

As far as the reducndancy, both links from the core 4500 switch to the router will share a same internal Ip subnet so i can have a common virtual router IP for HSRP but I don't know how I would deal with the two different Public IP subnets (two public/external vlans on the core switch)?

I am open to suggestions and cna use any amount of help that I can get looking at this a pilot design experience for the next offoce.

but I am shor on time and still have no clear idea of how I should go about this?

Please advise.

Regards,

Miks

well, Arun,

I really don't have an answer to thos equestion except that we can go for active/passive and no loadsharing/load balancing at this time. I just need to get this owrking given the VLANs and the devices in the mix.

later i will get AS# and will do BGP with the provider and may be EIGRP on the inside network but first, they waant it static (i.e. my boss wants it static sinc ethere is no time left...!)

your thoughss?/

Regards

Mike

Arun,

I have attached a different diagram. the two links you see going from the Juniper firewalls to the routers are to specidy inside and outside connections of the Firewall.

what is confusing me is the fact that i will be having External/Public IP vlans on my inside core 4500 Switch!? how should I deal with that?

Hope that this diagram shows more information.

Thx,

Mike

hey Arun,

I have been waiting on your response on my two previous posting. please see if you can help given the new information. ples ee the enclosed document in my previous posting/response to you.

Thx,

Mike

jvhaysx
Beginner

1. You cannot have the same priority on both sides (priority 95) - one priority must be higher so it is clearly the Active router.

2. Assuming that normal traffic flows through the Primary router via Fa0/0 and Gi0/0, then if Gi0/0 fails the secondary router becomes the HSRP Active router and traffic flows out the DS3.

However, the command 'standby 1 track' on the secondary router is useless because normally the secondary router is not passing traffic - it is in standby mode most of the time. The only time it is Active is when the Primary Gi0/0 has failed and if a second failure occurs with the DS3 you don't want it failing back to the Primary. The 'track' command should be on one side only.

Hope this helps.

Hi mike

I am really confused with ur scenario and requirement !!!!!! maybe b'cas of my inexperience..

What i understood from ur scenario i suggest the following

1.For traffic from local host to linux server

Do normal configuration for intervlan routing at L3 switch(4500).The server will be accessed by internal host on the internal private IP NIC of server..The default gateway for host should be SVI ip configured for vlan at 4500.

2.For traffic going outside

Put a default route on 4500 towards the routers (or virtual ip)

3.Redundancy for routers

You require an L2 switch for this between router and 4500.Put the two internal interface of the router in same subnet and configure for HSRP at physical interface level..the virtual ip here should be the next-hop for the default route i mentioned in point 2.

3.For traffic coming into the network

U can put static routes towards each inside vlan networks

I dont know if this would help better..let see...

This topic has gone long and other experts may take lot of time to read all the post and come to the latest update.I would suggest u to put a new topic in forum with all your latest requirements ,so that others can also respond to it and provide u proper inputs..

arun